Debian Bug report logs - #631975
OOB memory access caused by negative vq notifies (CVE-2011-2512)


Package: qemu-kvm; Maintainer for qemu-kvm is Michael Tokarev <mjt@tls.msk.ru>; Source for qemu-kvm is src:qemu.

Reported by: Michael Tokarev <mjt@tls.msk.ru>

Date: Tue, 28 Jun 2011 20:33:01 UTC

Severity: grave

Tags: patch, security, sid, squeeze, upstream

Found in versions qemu-kvm/0.12.5+dfsg-5+squeeze3, qemu-kvm/0.14.1+dfsg-1

Fixed in versions qemu-kvm/0.14.1+dfsg-2, qemu-kvm/0.12.5+dfsg-5+squeeze4

Done: Michael Tokarev <mjt@tls.msk.ru>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jan Lübbe <jluebbe@debian.org>:
Bug#631975; Package qemu-kvm. (Tue, 28 Jun 2011 20:33:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Tokarev <mjt@tls.msk.ru>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jan Lübbe <jluebbe@debian.org>. (Tue, 28 Jun 2011 20:33:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Michael Tokarev <mjt@tls.msk.ru>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: OOB memory access caused by negative vq notifies (CVE pending)
Date: Wed, 29 Jun 2011 00:31:04 +0400
Package: qemu-kvm
Version: 0.12.5+dfsg-5+squeeze3
Severity: grave
Tags: upstream security squeeze sid

The virtio_queue_notify() function checks that the virtqueue number is
less than the maximum number of virtqueues.  A signed comparison is used
but the virtqueue number could be negative if a buggy or malicious guest
is run.  This results in memory accesses outside of the virtqueue array.

This can be triggered by a malicious guest: an unprivileged guest user can
either crash the qemu process or, possibly, gain extra privileges on
the host.

Additional information:
http://patchwork.ozlabs.org/patch/94604/ (upstream patch)
https://bugzilla.redhat.com/show_bug.cgi?id=717399

The problem affects both squeeze and sid versions.  It is present in
lenny too, but that one is hopeless (we should provide fixes for
lenny backports instead).

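The signed-comparison bug described in the report above, shown as an added example beside a hardened check. This is illustrative code written for this page, not QEMU's virtio_queue_notify() and not the upstream patch: the device layout, the queue-array size, the register name and every helper are assumptions, and the hardened check's shape (an explicit n >= 0) is one way to close the hole that may differ from how upstream wrote its fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, cut-down model of a virtio device with a fixed virtqueue
 * array (added example, not QEMU's own code). The array size and the
 * field names are assumptions; only the comparison shape mirrors the
 * bug class described in the report. */
#define VIRTIO_PCI_QUEUE_MAX 64

typedef struct VirtQueue {
    uint64_t desc;      /* guest-physical address of the descriptor table */
    int      notified;  /* how many notifies this queue has received */
} VirtQueue;

typedef struct VirtIODevice {
    VirtQueue vq[VIRTIO_PCI_QUEUE_MAX];
} VirtIODevice;

/* Buggy bound check: a signed compare against the upper bound only.
 * Every negative n satisfies "n < VIRTIO_PCI_QUEUE_MAX". */
static bool vulnerable_index_ok(int n)
{
    return n < VIRTIO_PCI_QUEUE_MAX;
}

/* Hardened bound check: reject negative indices explicitly.
 * Comparing as unsigned, (unsigned)n < VIRTIO_PCI_QUEUE_MAX, is equivalent. */
static bool fixed_index_ok(int n)
{
    return n >= 0 && n < VIRTIO_PCI_QUEUE_MAX;
}

/* The guest writes a 32-bit queue number to the notify register; the device
 * model hands it on as an int. Converting an out-of-range value to int is
 * implementation-defined, but GCC and Clang wrap modulo 2^32, so
 * 0xffffffff arrives as -1 and 0x80000000 as INT_MIN. */
static int guest_queue_index(uint32_t val)
{
    return (int)val;
}

/* Byte offset from the start of vq[] that &vq[n] would resolve to. A negative
 * offset lands in whatever precedes the array in memory (other device state
 * or the neighbouring heap chunk), which is the OOB access in the report. */
static long vq_byte_offset(int n)
{
    return (long)n * (long)sizeof(VirtQueue);
}

/* Notify path with the hardened check. Returns the queue index that was
 * notified, or -1 if the guest-supplied value was rejected. */
static int queue_notify(VirtIODevice *vdev, uint32_t val)
{
    int n = guest_queue_index(val);
    if (!fixed_index_ok(n))
        return -1;
    vdev->vq[n].notified++;
    return n;
}

/* Same path on a fresh device, for callers that only want the verdict. */
static int notify_fresh_device(uint32_t val)
{
    VirtIODevice dev = { 0 };
    return queue_notify(&dev, val);
}

int main(void)
{
    /* Constructed guest writes: two valid, one just past the end, two that
     * turn negative once they are treated as int. */
    const uint32_t probes[] = { 0, 63, 64, 0x80000000u, 0xffffffffu };
    size_t i;

    printf("%-12s %12s %7s %7s %14s\n",
           "guest value", "int n", "buggy", "fixed", "byte offset");
    for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        int n = guest_queue_index(probes[i]);
        printf("0x%08x %12d %7s %7s %14ld\n", probes[i], n,
               vulnerable_index_ok(n) ? "pass" : "reject",
               fixed_index_ok(n) ? "pass" : "reject",
               vq_byte_offset(n));
    }
    return 0;
}
```

The table makes the failure mode concrete: 64 is rejected by both checks, but 0xffffffff passes the signed-only check as -1 and would index sizeof(VirtQueue) bytes before the array, and 0x80000000 passes as INT_MIN with an offset gigabytes away. Because the index originates from a guest I/O write, it is fully attacker-controlled, so the bound check on a guest-supplied index must be two-sided (or done on the unsigned value); that is why the report lists both a qemu crash and a possible privilege gain on the host as outcomes.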
Added tag(s) pending and patch. Request was from Michael Tokarev <mjt@tls.msk.ru> to control@bugs.debian.org. (Tue, 28 Jun 2011 21:24:03 GMT) Full text and rfc822 format available.

Bug Marked as found in versions qemu-kvm/0.14.1+dfsg-1. Request was from Michael Tokarev <mjt@tls.msk.ru> to control@bugs.debian.org. (Tue, 28 Jun 2011 21:24:03 GMT) Full text and rfc822 format available.

Changed Bug title to 'OOB memory access caused by negative vq notifies (CVE-2011-2512)' from 'OOB memory access caused by negative vq notifies (CVE pending)' Request was from Michael Tokarev <mjt@tls.msk.ru> to control@bugs.debian.org. (Thu, 30 Jun 2011 06:03:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Jan Lübbe <jluebbe@debian.org>:
Bug#631975; Package qemu-kvm. (Thu, 30 Jun 2011 06:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Tokarev <mjt@tls.msk.ru>:
Extra info received and forwarded to list. Copy sent to Jan Lübbe <jluebbe@debian.org>. (Thu, 30 Jun 2011 06:18:03 GMT) Full text and rfc822 format available.

Message #16 received at 631975@bugs.debian.org (full text, mbox):

From: Michael Tokarev <mjt@tls.msk.ru>
To: Michael Tokarev <mjt@tls.msk.ru>, 631975@bugs.debian.org
Cc: rt@rt.debian.org
Subject: Re: Bug#631975 [rt.debian.org #3254]: OOB memory access caused by negative vq notifies (CVE-2011-2512)
Date: Thu, 30 Jun 2011 10:15:24 +0400
[Message part 1 (text/plain, inline)]
29.06.2011 00:31, Michael Tokarev wrote:
> Additional information:
> http://patchwork.ozlabs.org/patch/94604/ (upstream patch)
> https://bugzilla.redhat.com/show_bug.cgi?id=717399
> 
> The problem affects both squeeze and sid versions.  It is present in
> lenny too, but that one is hopeless (we should provide fixes for
> lenny backports instead).

Actually, the lenny version (kvm-72) is _not_ affected -- the original
first implementation was correct; the bug was introduced later
when the code was refactored and moved to a separate function.
So only the squeeze and sid versions are affected (and bpo50).

I updated both packages in collab-maint git (and the bugreport)
to mention the newly assigned CVE-2011-2512 (renamed the patch
accordingly and updated the changelog entry).  New debdiff is
attached.

Thank you!

/mjt
[qemu-kvm_0.12.5+dfsg-5+squeeze3_qemu-kvm_0.12.5+dfsg-5+squeeze4.debdiff (text/plain, attachment)]

Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Thu, 30 Jun 2011 12:06:04 GMT) Full text and rfc822 format available.

Notification sent to Michael Tokarev <mjt@tls.msk.ru>:
Bug acknowledged by developer. (Thu, 30 Jun 2011 12:06:10 GMT) Full text and rfc822 format available.

Message #21 received at 631975-close@bugs.debian.org (full text, mbox):

From: Michael Tokarev <mjt@tls.msk.ru>
To: 631975-close@bugs.debian.org
Subject: Bug#631975: fixed in qemu-kvm 0.14.1+dfsg-2
Date: Thu, 30 Jun 2011 12:03:23 +0000
Source: qemu-kvm
Source-Version: 0.14.1+dfsg-2

We believe that the bug you reported is fixed in the latest version of
qemu-kvm, which is due to be installed in the Debian FTP archive:

kvm_0.14.1+dfsg-2_amd64.deb
  to main/q/qemu-kvm/kvm_0.14.1+dfsg-2_amd64.deb
qemu-kvm-dbg_0.14.1+dfsg-2_amd64.deb
  to main/q/qemu-kvm/qemu-kvm-dbg_0.14.1+dfsg-2_amd64.deb
qemu-kvm_0.14.1+dfsg-2.debian.tar.gz
  to main/q/qemu-kvm/qemu-kvm_0.14.1+dfsg-2.debian.tar.gz
qemu-kvm_0.14.1+dfsg-2.dsc
  to main/q/qemu-kvm/qemu-kvm_0.14.1+dfsg-2.dsc
qemu-kvm_0.14.1+dfsg-2_amd64.deb
  to main/q/qemu-kvm/qemu-kvm_0.14.1+dfsg-2_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 631975@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu-kvm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 29 Jun 2011 00:53:54 +0400
Source: qemu-kvm
Binary: qemu-kvm qemu-kvm-dbg kvm
Architecture: source amd64
Version: 0.14.1+dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Jan Lübbe <jluebbe@debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description: 
 kvm        - dummy transitional package from kvm to qemu-kvm
 qemu-kvm   - Full virtualization on x86 hardware
 qemu-kvm-dbg - Debugging info for qemu-kvm
Closes: 631975
Changes: 
 qemu-kvm (0.14.1+dfsg-2) unstable; urgency=high
 .
   * virtio: guard against negative vq notifies -- fixes a guest-triggerable
     bug in virtio implementation (CVE-2011-2512) (Closes: #631975)
     Urgency is high due to security fix.
Checksums-Sha1: 
 54d817e1eeac450e45d960662ad037ae329509a1 1698 qemu-kvm_0.14.1+dfsg-2.dsc
 9fa9ff7bbf0e9699cc3c7dba3a03573840e0cb56 24806 qemu-kvm_0.14.1+dfsg-2.debian.tar.gz
 f3cbfda6d8d860179a8d489962f5373848cd50e7 1274594 qemu-kvm_0.14.1+dfsg-2_amd64.deb
 0a50d63033febd5267f23c536ba97ebf1167ec2d 3319678 qemu-kvm-dbg_0.14.1+dfsg-2_amd64.deb
 0c14de717a55cc814e64d4056f13a7a7f22b6da9 8858 kvm_0.14.1+dfsg-2_amd64.deb
Checksums-Sha256: 
 4e799e793dee357cecb12295eaf34d846076eb52e9ca6c898c811067878a5f07 1698 qemu-kvm_0.14.1+dfsg-2.dsc
 f35dfe4a953f44a39f3fdc030fa7b794a7c56016773791249ce4e41df75f68b9 24806 qemu-kvm_0.14.1+dfsg-2.debian.tar.gz
 712d5794bde18b8b83d51359094f11f72637c0ca03f625787a663ed4998c85de 1274594 qemu-kvm_0.14.1+dfsg-2_amd64.deb
 e124fe6c58f55dba388519301c772145ae79d0bc67f90f8236c97eb3ad9f35b7 3319678 qemu-kvm-dbg_0.14.1+dfsg-2_amd64.deb
 3573b4683f05e992b1ecfb587e8d63e16c5ab0fb4e0a15efd0a6b70e6cb45be8 8858 kvm_0.14.1+dfsg-2_amd64.deb
Files: 
 4d78f2268bb6768dc215432463f8b03e 1698 misc optional qemu-kvm_0.14.1+dfsg-2.dsc
 9f73a92ede70a1eccc83b450622cf440 24806 misc optional qemu-kvm_0.14.1+dfsg-2.debian.tar.gz
 07e9494649d3873dfee6b530545b0290 1274594 misc optional qemu-kvm_0.14.1+dfsg-2_amd64.deb
 bb94aa793b4b96e9fa5bba3ee0377be6 3319678 debug extra qemu-kvm-dbg_0.14.1+dfsg-2_amd64.deb
 73bcf1bc57acfa20643f33885126b2f5 8858 oldlibs extra kvm_0.14.1+dfsg-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk4MZGgACgkQioOL5NhIDy6iWQCeMrdtwXMsfU06IREpsRRjVTDb
UawAn35rF52honu/EF4+5nGMWGus0rXq
=4F1R
-----END PGP SIGNATURE-----

Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Sat, 02 Jul 2011 14:03:08 GMT) Full text and rfc822 format available.

Notification sent to Michael Tokarev <mjt@tls.msk.ru>:
Bug acknowledged by developer. (Sat, 02 Jul 2011 14:03:08 GMT) Full text and rfc822 format available.

Message #26 received at 631975-close@bugs.debian.org (full text, mbox):

From: Michael Tokarev <mjt@tls.msk.ru>
To: 631975-close@bugs.debian.org
Subject: Bug#631975: fixed in qemu-kvm 0.12.5+dfsg-5+squeeze4
Date: Sat, 02 Jul 2011 13:59:14 +0000
Source: qemu-kvm
Source-Version: 0.12.5+dfsg-5+squeeze4

We believe that the bug you reported is fixed in the latest version of
qemu-kvm, which is due to be installed in the Debian FTP archive:

kvm_0.12.5+dfsg-5+squeeze4_amd64.deb
  to main/q/qemu-kvm/kvm_0.12.5+dfsg-5+squeeze4_amd64.deb
qemu-kvm-dbg_0.12.5+dfsg-5+squeeze4_amd64.deb
  to main/q/qemu-kvm/qemu-kvm-dbg_0.12.5+dfsg-5+squeeze4_amd64.deb
qemu-kvm_0.12.5+dfsg-5+squeeze4.diff.gz
  to main/q/qemu-kvm/qemu-kvm_0.12.5+dfsg-5+squeeze4.diff.gz
qemu-kvm_0.12.5+dfsg-5+squeeze4.dsc
  to main/q/qemu-kvm/qemu-kvm_0.12.5+dfsg-5+squeeze4.dsc
qemu-kvm_0.12.5+dfsg-5+squeeze4_amd64.deb
  to main/q/qemu-kvm/qemu-kvm_0.12.5+dfsg-5+squeeze4_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 631975@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu-kvm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 29 Jun 2011 00:44:36 +0400
Source: qemu-kvm
Binary: qemu-kvm qemu-kvm-dbg kvm
Architecture: source amd64
Version: 0.12.5+dfsg-5+squeeze4
Distribution: stable-security
Urgency: high
Maintainer: Jan Lübbe <jluebbe@debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description: 
 kvm        - dummy transitional package from kvm to qemu-kvm
 qemu-kvm   - Full virtualization on x86 hardware
 qemu-kvm-dbg - Debugging info for qemu-kvm
Closes: 631975
Changes: 
 qemu-kvm (0.12.5+dfsg-5+squeeze4) stable-security; urgency=high
 .
   * virtio: guard against negative vq notifies -- fixes a guest-triggerable
     bug in virtio implementation (CVE-2011-2512) (Closes: #631975)
Checksums-Sha1: 
 cd52234a17a7d0266cb943abbae1c92cfd34fffa 1696 qemu-kvm_0.12.5+dfsg-5+squeeze4.dsc
 03fdf8cab0c8010b93bf1466f4e9003eb54ab7d4 310355 qemu-kvm_0.12.5+dfsg-5+squeeze4.diff.gz
 c790ad9d44f23c7105a91017828ee455c8719348 1613072 qemu-kvm_0.12.5+dfsg-5+squeeze4_amd64.deb
 5d7b0cf3b49e91f1192f45971d584dc3d713778b 2819218 qemu-kvm-dbg_0.12.5+dfsg-5+squeeze4_amd64.deb
 e61cf96bbe39678a1f88271965dd577ba58c9eb7 13240 kvm_0.12.5+dfsg-5+squeeze4_amd64.deb
Checksums-Sha256: 
 7cc418f9237598d181555fed9c95f9ca61fc3279c58241cacbb263bcae02a444 1696 qemu-kvm_0.12.5+dfsg-5+squeeze4.dsc
 bd6783731b5cea85956b14d18e2586a278dfb52cd58e61fe6d5a1bbf555dfbe7 310355 qemu-kvm_0.12.5+dfsg-5+squeeze4.diff.gz
 3fa2c2a2a55216d07458e8346a6551f23b76974331e171b75795e2a30cee7f26 1613072 qemu-kvm_0.12.5+dfsg-5+squeeze4_amd64.deb
 cf533fdb164c84e7867c4e87aa2fcabb95e99cb56e6924342772613ec3ea3aaa 2819218 qemu-kvm-dbg_0.12.5+dfsg-5+squeeze4_amd64.deb
 320ca0eb87fa51c510c989720f89d55d05998094e5487156d463cb1e40e658c4 13240 kvm_0.12.5+dfsg-5+squeeze4_amd64.deb
Files: 
 374d6a8f183a435fe71a8a9df7b65894 1696 misc optional qemu-kvm_0.12.5+dfsg-5+squeeze4.dsc
 9a46867c5a5224e20663b2432aabcfe0 310355 misc optional qemu-kvm_0.12.5+dfsg-5+squeeze4.diff.gz
 1c75f68dd0eeacd513c68ad28133f091 1613072 misc optional qemu-kvm_0.12.5+dfsg-5+squeeze4_amd64.deb
 266242ac3d7c2bab21efd7449caa710a 2819218 debug extra qemu-kvm-dbg_0.12.5+dfsg-5+squeeze4_amd64.deb
 c68703d71b408bdf6b1e0056b92e5e0c 13240 oldlibs extra kvm_0.12.5+dfsg-5+squeeze4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk4NjkIACgkQioOL5NhIDy54nwCg3GFgIbFjEe2XZ4rqeNqXIW40
Kn0An1zzDsfTDsRK+YJbeQrtv5scE7vR
=g1wB
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Oct 2011 07:36:48 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 13:17:59 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.